Uniswap (uniswap.org)

Network: mainnet (beta analysis)
Overall risk: 4.0 / 10 (moderate)
Findings: 1 critical, 10 high, 19 medium, across 6 analysis sections
Last analyzed: 16 days ago

Summary

Uniswap is a battle-tested AMM spanning v1–v4 with roughly $2.77B TVL across 40+ chains and no verified production exploit of audited v2/v3/v4 core contracts since 2018. On-chain governance uses UNI token voting through Governor Bravo with a verified 2-day Timelock, and swap entrypoints like UniversalRouter and Permit2 are immutable with no owner. The main risks are not in the core swap math but in the expanding perimeter: cross-chain factory control depends on Wormhole and Axelar bridges (a guardian compromise could bypass DAO control on remote chains), v4 permissionless hooks run unaudited third-party code inside the swap pipeline, and contract addresses are not uniform across chains — on Base, the canonical CREATE2 address hosts an unrelated 'Recover' contract, not the real factory. Post-UNIfication tokenomics add net inflationary pressure (~20M UNI/year issuance vs ~4–5M burns) while the Timelock holds 27% of supply. Overall risk is moderate (4.0/10).

Trust Assumptions

Users trust that audited v2/v3/v4 core contracts and immutable periphery (UniversalRouter, Permit2) behave as designed; that UNI governance with its 10M-proposal threshold and 2-day Timelock will not pass malicious proposals altering factories, minting, or Governor logic; that Wormhole's 19-guardian set and Axelar validators will not sign fraudulent cross-chain governance messages; that integrators use chain-specific factory addresses from official SDKs rather than assuming CREATE2 parity; that liquidity providers in v4 pools independently vet hook contracts before depositing; and that Uniswap Labs' interfaces route users to correct on-chain contracts rather than impersonators.

What Could Go Wrong

A compromise of the Wormhole guardian set, or a flaw in how guardian signatures are verified (precedent: the Feb 2022 Wormhole exploit, roughly $325M, which bypassed signature verification on the Solana side rather than compromising guardian keys), could yield VAAs that execute unauthorized factory parameter changes on BSC, Celo, or other Wormhole-governed chains without passing through the Ethereum Timelock. A malicious or buggy v4 hook could drain liquidity from pools that opt into it; Cork Protocol lost $11–12M and Bunni $8.4M via hook flaws, validating this composability risk. Integrators or users who assume the Ethereum V3 factory address (0x1F984…) is also the factory on Base would interact with an unverified 'Recover' impersonator, not Uniswap. Governance could mint up to 2% of supply annually (20M UNI under the approved growth budget), outpacing programmatic fee burns and diluting holders. A passed governance proposal could upgrade the Governor Bravo implementation or redirect the 272M UNI Timelock treasury without any independent multisig veto.

Recommendation

Uniswap is suitable for significant trading and LP exposure on v2/v3 and on v4 pools without custom hooks, given seven years of operation and zero audited-core production exploits. Treat v4 hook pools as unaudited third-party integrations — verify hook bytecode before providing liquidity. Always confirm factory and router addresses per chain via official SDK documentation; never assume cross-chain address parity. Monitor Wormhole guardian-set changes, cross-chain governance bridge health, and UNI governance proposals affecting minting, fee switches, or Governor upgrades. Reduce exposure on Wormhole-governed L1 deployments (BSC, Celo) relative to Ethereum mainnet if bridge risk tolerance is low. UNI holders should track whether the 20M UNI/year growth budget continues to exceed Firepit burns, creating net supply inflation.
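A first, cheap step in vetting a v4 hook before providing liquidity, ahead of reading its bytecode, is to decode the permissions the hook address itself declares. The block below is an added example, not this report's or Uniswap's own code. Its one assumption is the flag layout of the Hooks library in Uniswap v4-core, in which the low 14 bits of a hook address state which PoolManager callbacks the hook receives and whether it may return deltas (i.e. move tokens) from them; the sample addresses are constructed, not real deployments.

```python
# Added example: decode the permission flags a Uniswap v4 hook address carries.
# Assumption: bit layout as in the v4-core Hooks library (low 14 bits of the address).
HOOK_FLAGS = {
    13: "BEFORE_INITIALIZE", 12: "AFTER_INITIALIZE",
    11: "BEFORE_ADD_LIQUIDITY", 10: "AFTER_ADD_LIQUIDITY",
    9: "BEFORE_REMOVE_LIQUIDITY", 8: "AFTER_REMOVE_LIQUIDITY",
    7: "BEFORE_SWAP", 6: "AFTER_SWAP",
    5: "BEFORE_DONATE", 4: "AFTER_DONATE",
    3: "BEFORE_SWAP_RETURNS_DELTA", 2: "AFTER_SWAP_RETURNS_DELTA",
    1: "AFTER_ADD_LIQUIDITY_RETURNS_DELTA", 0: "AFTER_REMOVE_LIQUIDITY_RETURNS_DELTA",
}
ALL_HOOK_MASK = (1 << 14) - 1
# A returns-delta flag is only valid together with the callback flag it belongs to.
DELTA_REQUIRES_BASE = {3: 7, 2: 6, 1: 10, 0: 8}


def hook_flag_bits(hook_address: str) -> int:
    return int(hook_address, 16) & ALL_HOOK_MASK


def hook_permissions(hook_address: str) -> set:
    bits = hook_flag_bits(hook_address)
    return {name for bit, name in HOOK_FLAGS.items() if bits >> bit & 1}


def hook_address_is_well_formed(hook_address: str, dynamic_fee: bool = False) -> bool:
    """Consistency rule the PoolManager applies at pool initialization (modelled, not quoted)."""
    bits = hook_flag_bits(hook_address)
    for delta_bit, base_bit in DELTA_REQUIRES_BASE.items():
        if bits >> delta_bit & 1 and not bits >> base_bit & 1:
            return False
    if int(hook_address, 16) == 0:
        return not dynamic_fee          # no hook at all: the fee cannot be dynamic
    return bits != 0 or dynamic_fee     # a hook must handle something or carry a dynamic fee


def lp_risk_summary(hook_address: str, dynamic_fee: bool = False) -> dict:
    """What an LP should know before depositing into a pool that uses this hook."""
    perms = hook_permissions(hook_address)
    return {
        "permissions": sorted(perms),
        "well_formed": hook_address_is_well_formed(hook_address, dynamic_fee),
        # Returns-delta permissions let the hook change the amounts the pool settles.
        "can_take_from_swaps": bool(perms & {"BEFORE_SWAP_RETURNS_DELTA", "AFTER_SWAP_RETURNS_DELTA"}),
        "can_take_from_liquidity": bool(perms & {"AFTER_ADD_LIQUIDITY_RETURNS_DELTA",
                                                 "AFTER_REMOVE_LIQUIDITY_RETURNS_DELTA"}),
        # A beforeRemoveLiquidity callback that reverts blocks LP withdrawals.
        "can_block_withdrawals": "BEFORE_REMOVE_LIQUIDITY" in perms,
    }


# Constructed hook addresses (not real deployments); only the low 14 bits matter here.
SWAP_DELTA_HOOK = "0x" + "ab" * 18 + "00c4"   # BEFORE_SWAP | AFTER_SWAP | AFTER_SWAP_RETURNS_DELTA
MALFORMED_HOOK = "0x" + "ab" * 18 + "0004"    # AFTER_SWAP_RETURNS_DELTA without AFTER_SWAP
NO_HOOK = "0x" + "00" * 20

if __name__ == "__main__":
    for addr in (SWAP_DELTA_HOOK, MALFORMED_HOOK, NO_HOOK):
        print(addr, lp_risk_summary(addr))
```

A hook whose address carries no returns-delta flag still runs arbitrary code in the swap pipeline, so this decode narrows the review rather than replacing it; it does tell you immediately whether the hook can adjust settled amounts or hold up withdrawals.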

Key Findings (30)

critical  Wormhole guardian-set compromise is a governance takeover vector [bridge]
high      Six Core Contracts Unverified in Pipeline [verification]
high      Base CREATE2 Address Hijacked by Unverified Contract [contracts]
high      Cross-Chain Factory Control Depends on Third-Party Bridges [cross-chain]
high      Governance Bridge Asymmetry Across Chains [cross-chain]
high      Base CREATE2 address hijacked by unrelated Recover contract [contracts]
high      v4 third-party hook contracts execute inside audited core flow [protocol]
high      v4 hooks are third-party code outside Uniswap audit scope [audit-gap]
high      Cross-chain governance bridge wrappers lack dedicated audit [audit-gap]
high      April 2020 ERC777 Reentrancy on Uniswap V1 imBTC Pool [incident]
high      July 2022 Phishing Campaign — $8M LP NFT Theft [incident]
medium    Governor Bravo Delegatecall Proxy Upgradable by Timelock [upgradability]
medium    Cross-Chain Factory Ownership Depends on Bridge Receivers [governance]
medium    v4 Hooks Enable Per-Pool Untrusted Code Execution [architecture]
medium    No Multisig on Core Governance Contracts [centralization]
medium    Governor Implementation Upgrade Path Exists [upgrade]
medium    Wormhole Sender Contract Source Unverified Locally [contracts]
medium    Treasury Holds 27% of Total Supply [concentration]
medium    Exchange Custody Concentration — Binance ~5.5% [concentration]
medium    Inflation Authority Active — 2% Annual Mint Cap [emission]
medium    Net Inflationary Pressure — 20M Issuance vs ~4–5M Burns [emission]
medium    Governance Power Concentration — Treasury Delegation Under Recall [governance]
medium    Labs–DAO Alignment Restructured Post-UNIfication [incentive]
medium    Cross-chain governance depends on two third-party bridges (Wormhole + Axelar) [bridge]
medium    Wormhole sender admin is timelock-only; receivers are immutable [bridge]
medium    Axelar InterchainProposalExecutor uses Ownable sender/caller whitelists [bridge]
medium    Permit2 is immutable shared token-approval infrastructure [protocol]
medium    Six pipeline contracts unverified on Etherscan [audit-gap]
medium    Three v4 audit reports remain marked DRAFT [audit-gap]
medium    v1 ConsenSys reentrancy finding never patched on-chain [unfixed-finding]

Analysis Sections

Uniswap uses on-chain UNI token voting via Governor Bravo with a 2-day Timelock (verified on-chain). Ethereum mainnet factories and v4 PoolManager trace to the Timelock through V3OpenFeeAdapter intermediaries. Cross-chain deployments use heterogeneous bridge paths—Wormhole receivers on BSC/Celo and canonical L2 bridge accounts on Arbitrum/Base/Optimism—with no local owner/admin on receivers. Bridge compromise or guardian failure could enable unauthorized remote factory control. No multisig protects core governance; Governor admin is the Timelock contract.

Findings (9)

[high] Cross-Chain Factory Control Depends on Third-Party Bridges

Non-Ethereum v3 factory ownership is mediated by immutable bridge receiver contracts with no on-chain admin. Verified on BSC: the V3OpenFeeAdapter (0x3F07F08b45912dCd6691C5B9412975D5113B2910) is owned by UniswapWormholeMessageReceiver (0x341c1511141022cf8eE20824Ae0fFA3491F1302b), which executes governance messages relayed from the Ethereum UniswapWormholeMessageSender (0xf5F4496219F31CDCBa6130B5402873624585615a, Timelock-owned). A Wormhole guardian compromise, or any other way of obtaining a fraudulently signed VAA, could authorize setOwner/enableFeeAmount calls on remote factories without passing through the Ethereum Timelock.

Evidence [on-chain RPC, BSC]: V3OpenFeeAdapter.owner() = 0x341c1511141022cf8ee20824ae0ffa3491f1302b; Wormhole receiver owner() reverts (no admin)
Evidence [on-chain RPC, Ethereum]: UniswapWormholeMessageSender.owner() = 0x1a9C8182C09F50C8318d769245beA52c32BE35BC (Timelock)
Evidence [contract source]: UniswapWormholeMessageReceiver has an immutable messageSender, no owner(), and MESSAGE_TIME_OUT_SECONDS = 2 days
[high] Governance Bridge Asymmetry Across Chains

Verified on-chain ownership patterns differ by chain. BSC uses Wormhole receivers; the Arbitrum V3OpenFeeAdapter owner resolves to 0x2bad8182c09f50c8318d769245bea52c32be46cd, the L2 address alias of the Ethereum Timelock; Base and Optimism use separate CrossChainAccount-style bridge receivers (0x31fafd4889fa1269f7a13a66ee0fb458f27d72a9 and 0xa1dd330d602c32622aa270ea73d078b803cb3518) with no owner()/admin(). Each path inherits distinct liveness, upgrade, and trust assumptions. A bridge failure on one chain does not affect the others, but it leaves that deployment outside DAO control until a migration is executed.

Evidence [on-chain RPC, Arbitrum]: adapter owner 0x2bad8182... = Timelock L1 address (0x1a9c8182...) + 0x1111000000000000000000000000000000001111 (mod 2^160)
Evidence [Uniswap Foundation governance processes]: per-chain treasury addresses include Wormhole receivers and chain-specific bridge accounts
[medium] No Multisig on Core Governance Contracts

On-chain verification shows the Timelock admin is Governor Bravo (a contract) and the Governor admin is the Timelock (a contract); neither is a Gnosis Safe, since getOwners() and getThreshold() revert on both addresses. Governance changes require UNI holder votes (10M UNI proposal threshold, verified) plus the 2-day Timelock delay. This is decentralized in structure but exposed to governance attacks (vote buying, low turnout) and whale coordination, and there is no independent multisig safety layer that could veto a passed proposal.

Evidence [on-chain RPC, Ethereum]: Timelock.admin() = 0x408ed6354d4973f66138c91495f2f2fcbd8724c3; Governor.admin() = 0x1a9c8182c09f50c8318d769245bea52c32be35bc
Evidence [on-chain RPC, Ethereum]: getOwners()/getThreshold() revert on both Timelock and Governor, so neither is a Gnosis Safe
[medium] Governor Implementation Upgrade Path Exists

GovernorBravoDelegator stores the Timelock as admin and exposes _setImplementation(), callable only by admin. Any successful governance proposal routed through the Timelock can therefore swap the Governor's delegate logic, altering quorum rules, voting parameters, or execution behavior. The admin is not an EOA (verified), so an upgrade requires the full proposal lifecycle, but a malicious or mistaken proposal that passes could reparameterize governance with no separate safeguard.

Evidence [contract source]: GovernorBravoDelegator._setImplementation: require(msg.sender == admin)
Evidence [on-chain RPC, Ethereum]: Governor storage slot 0 (admin) = Timelock; slot 2 (implementation) = 0x53a328f4086d7c0f1fa19e594c9b842125263026
[medium] Wormhole Sender Contract Source Unverified Locally

The Ethereum UniswapWormholeMessageSender (0xf5F4496219F31CDCBa6130B5402873624585615a) is listed as unverified in the pipeline contract cache, although on-chain owner() confirms Timelock ownership. Without verified source, the outbound governance message encoding and access controls cannot be fully audited from disk. This contract is the sole outbound bridge for Wormhole-governed chains.

Evidence [VERIFICATION_STATUS.md]: ethereum 0xf5f4496219f31cdcba6130b5402873624585615a: unverified
Evidence [on-chain RPC, Ethereum]: owner() = 0x1a9C8182C09F50C8318d769245beA52c32BE35BC
[low] V3OpenFeeAdapter Intermediary Between Timelock and Factories

The Ethereum v3 factory owner is the V3OpenFeeAdapter (0xf2371551fe3937db7c750f4dfabe5c2fffdcbf5a), not the Timelock directly; the adapter's owner() is the Timelock (verified). The v4 PoolManager (0x000000000004444c5dc75cb358380d2e3de08a90) is owned directly by the Timelock. The adapter adds one contract hop for fee-switch logic. Because the adapter holds the factory owner role, a flaw in it would expose whatever that role controls (enableFeeAmount, setOwner, and the pool protocol-fee functions gated on the factory owner), but the adapter's own owner can only be changed through the Timelock.

Evidence [on-chain RPC, Ethereum]: V3Factory.owner() = 0xf2371551fe3937db7c750f4dfabe5c2fffdcbf5a; V3OpenFeeAdapter.owner() = Timelock; PoolManager.owner() = Timelock
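The ownership relations the findings in this section assert (Timelock → Adapter → Factory, PoolManager and Wormhole sender owned by the Timelock, Governor and Timelock administering each other, neither being a Safe, the 2-day delay in storage slot 2, and the Arbitrum alias of the Timelock) can be re-checked with a handful of eth_call and eth_getStorageAt requests. The script below is an added example, not part of this report's pipeline or of Uniswap's tooling. It replays the values quoted in the evidence lines through a constructed transport so it runs offline; pointing verify_chain at http_transport(url) runs the same checks against a live node. Its assumptions are the four standard 4-byte selectors, the Arbitrum L1-to-L2 aliasing offset, and the report's reading of a reverting getter as "no such role".

```python
import json
import urllib.request
from typing import Callable, Optional

# 4-byte selectors (first 4 bytes of keccak256 of the signature); assumed standard values.
SEL_OWNER = "0x8da5cb5b"          # owner()
SEL_ADMIN = "0xf851a440"          # admin()
SEL_GET_OWNERS = "0xa0e67e2b"     # getOwners()     (Gnosis Safe)
SEL_GET_THRESHOLD = "0xe75235b8"  # getThreshold()  (Gnosis Safe)

# Offset Arbitrum adds to an L1 contract's address when it appears as L2 msg.sender.
ARB_ALIAS_OFFSET = 0x1111000000000000000000000000000000001111

# Addresses quoted in the findings above, lowercased for comparison.
TIMELOCK = "0x1a9c8182c09f50c8318d769245bea52c32be35bc"
GOVERNOR = "0x408ed6354d4973f66138c91495f2f2fcbd8724c3"
V3_ADAPTER = "0xf2371551fe3937db7c750f4dfabe5c2fffdcbf5a"
POOL_MANAGER = "0x000000000004444c5dc75cb358380d2e3de08a90"
WORMHOLE_SENDER = "0xf5f4496219f31cdcba6130b5402873624585615a"
BSC_WORMHOLE_RECEIVER = "0x341c1511141022cf8ee20824ae0ffa3491f1302b"

Transport = Callable[[dict], dict]   # JSON-RPC request dict -> response dict


def rpc(method: str, params: list) -> dict:
    return {"jsonrpc": "2.0", "id": 1, "method": method, "params": params}


def http_transport(url: str) -> Transport:
    """Plain JSON-RPC over HTTP, for running the same checks against a live node."""
    def send(req: dict) -> dict:
        data = json.dumps(req).encode()
        r = urllib.request.Request(url, data, {"Content-Type": "application/json"})
        with urllib.request.urlopen(r, timeout=30) as resp:
            return json.load(resp)
    return send


def recorded_transport(table: dict) -> Transport:
    """Constructed replay transport: (address, calldata-or-slot) -> result; missing keys revert."""
    def send(req: dict) -> dict:
        p = req["params"]
        key = (p[0]["to"].lower(), p[0]["data"]) if req["method"] == "eth_call" else (p[0].lower(), p[1])
        if key not in table:
            return {"jsonrpc": "2.0", "id": req["id"], "error": {"code": 3, "message": "execution reverted"}}
        return {"jsonrpc": "2.0", "id": req["id"], "result": table[key]}
    return send


def call_raw(t: Transport, to: str, selector: str) -> Optional[str]:
    """eth_call a no-argument getter; None means it reverted or returned no data."""
    resp = t(rpc("eth_call", [{"to": to, "data": selector}, "latest"]))
    result = resp.get("result")
    return None if "error" in resp or not result or result == "0x" else result


def call_address(t: Transport, to: str, selector: str) -> Optional[str]:
    """Decode an address return word; a revert is read as 'no such role' (e.g. an immutable receiver)."""
    raw = call_raw(t, to, selector)
    return None if raw is None else "0x" + raw[-40:].lower()


def storage_uint(t: Transport, addr: str, slot: int) -> int:
    return int(t(rpc("eth_getStorageAt", [addr, hex(slot), "latest"]))["result"], 16)


def looks_like_gnosis_safe(t: Transport, addr: str) -> bool:
    return call_raw(t, addr, SEL_GET_OWNERS) is not None and call_raw(t, addr, SEL_GET_THRESHOLD) is not None


def arbitrum_alias(l1_addr: str) -> str:
    """L2 address under which an L1 contract caller appears on Arbitrum."""
    return "0x%040x" % ((int(l1_addr, 16) + ARB_ALIAS_OFFSET) % (1 << 160))


def verify_chain(t: Transport) -> dict:
    r = {
        "adapter_owner": call_address(t, V3_ADAPTER, SEL_OWNER),
        "pool_manager_owner": call_address(t, POOL_MANAGER, SEL_OWNER),
        "wormhole_sender_owner": call_address(t, WORMHOLE_SENDER, SEL_OWNER),
        "timelock_admin": call_address(t, TIMELOCK, SEL_ADMIN),
        "governor_admin": call_address(t, GOVERNOR, SEL_ADMIN),
        "timelock_delay_seconds": storage_uint(t, TIMELOCK, 2),
        "timelock_is_safe": looks_like_gnosis_safe(t, TIMELOCK),
        "governor_is_safe": looks_like_gnosis_safe(t, GOVERNOR),
    }
    # Every mainnet root of control should be the Timelock; Timelock and Governor admin each other.
    r["roots_are_timelock"] = all(r[k] == TIMELOCK for k in
                                  ("adapter_owner", "pool_manager_owner", "wormhole_sender_owner", "governor_admin"))
    r["governor_timelock_loop"] = r["timelock_admin"] == GOVERNOR and r["governor_admin"] == TIMELOCK
    return r


def _word(addr: str) -> str:   # ABI-encode an address as one 32-byte return word
    return "0x" + addr[2:].lower().rjust(64, "0")


# Constructed replay table carrying the values the evidence lines report.
# The Safe getters are deliberately absent, so they replay as reverts.
RECORDED = {
    (V3_ADAPTER, SEL_OWNER): _word(TIMELOCK),
    (POOL_MANAGER, SEL_OWNER): _word(TIMELOCK),
    (WORMHOLE_SENDER, SEL_OWNER): _word(TIMELOCK),
    (TIMELOCK, SEL_ADMIN): _word(GOVERNOR),
    (GOVERNOR, SEL_ADMIN): _word(TIMELOCK),
    (TIMELOCK, "0x2"): "0x" + "2a300".rjust(64, "0"),   # 172800 seconds
}

if __name__ == "__main__":
    print(json.dumps(verify_chain(recorded_transport(RECORDED)), indent=2))
    print("Arbitrum alias of the Timelock:", arbitrum_alias(TIMELOCK))
```

Reading a revert as "no role" is what makes the immutable receivers show up as ownerless; when running live, distinguish that from a node or ABI error by also confirming the address has code.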
[info] 2-Day Timelock Delay Verified On-Chain

Timelock storage slot 2 reads 172800 seconds (2 days). The contract enforces MINIMUM_DELAY = 2 days, MAXIMUM_DELAY = 30 days, and GRACE_PERIOD = 14 days. setDelay() and setPendingAdmin() require msg.sender == address(this), so a delay or admin change must itself be queued through the Timelock and wait out the current delay.

Evidence [on-chain RPC, Ethereum]: eth_getStorageAt(Timelock, slot 2) = 0x2a300 = 172800 seconds
Evidence [contract source]: MINIMUM_DELAY = 2 days; MAXIMUM_DELAY = 30 days; GRACE_PERIOD = 14 days
[info] Governor Bravo Parameters Verified

On-chain Governor Bravo storage: proposalThreshold = 10,000,000 UNI (1e25 wei); votingDelay = 13,140 blocks (about 1.8 days at 12-second post-merge blocks); votingPeriod = 40,320 blocks (about 5.6 days at 12-second blocks; the commonly quoted "~7 days" assumes pre-merge 15-second blocks); proposalCount = 97; timelock = 0x1a9C8182C09F50C8318d769245beA52c32BE35BC. The UNI token exposes no owner()/admin() and totalSupply reads 1,000,000,000 UNI; supply is not fixed, however, since the token carries a minter role capped at 2% per year (see the emission findings). Governance is fully on-chain token voting (not Snapshot-only).

Evidence [on-chain RPC, Ethereum]: Governor slots: votingDelay = 13140, votingPeriod = 40320, proposalThreshold = 10M UNI, proposalCount = 97
Evidence [on-chain RPC, Ethereum]: UNI owner()/admin() revert; totalSupply = 1,000,000,000 UNI
[info] Wormhole Receivers Are Immutable and Permissionless to Relay

The BSC and Celo UniswapWormholeMessageReceiver contracts have no owner/admin functions. receiveMessage() is publicly callable by any relayer once a valid Wormhole VAA is obtained. Security therefore rests entirely on four checks: Wormhole guardian-set signature verification, the emitter matching the Ethereum sender, monotonic sequence enforcement, and the 2-day message timeout. Celo receiver bytecode present (8392 bytes); BSC receiver bytecode present (14068 bytes).

Evidence [contract source]: receiveMessage() public payable; MESSAGE_TIME_OUT_SECONDS = 2 days; no admin role
Evidence [on-chain RPC, BSC]: owner()/admin() revert on receiver 0x341c1511141022cf8ee20824ae0ffa3491f1302b
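The four checks listed in that finding, and why a guardian quorum compromise defeats all of them at once (the critical finding in this report), are easiest to see in a small model. The block below is an added example, not the deployed UniswapWormholeMessageReceiver source: guardian signatures are stand-ins (HMAC-SHA256 under constructed per-guardian secrets instead of secp256k1 ECDSA), the 2/3+1 quorum over 19 guardians and Wormhole chain id 2 for Ethereum are assumptions from the Wormhole design, and the trusted emitter is the Ethereum sender address quoted above. It shows a genuine message executing, the same message rejected on replay, a VAA signed by 12 guardians rejected, the same VAA signed by 13 guardians executing, and rejections for a wrong emitter and an expired message.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

GUARDIAN_COUNT = 19
QUORUM = (GUARDIAN_COUNT * 2) // 3 + 1        # 13 of 19: Wormhole's 2/3+1 rule (assumed)
ETH_WORMHOLE_CHAIN_ID = 2                     # Wormhole chain id for Ethereum (assumed)
MESSAGE_TIME_OUT_SECONDS = 2 * 24 * 3600      # the 2-day timeout quoted in the finding


@dataclass(frozen=True)
class VAA:
    timestamp: int
    emitter_chain: int
    emitter_address: bytes      # 32 bytes, left-padded EVM address
    sequence: int
    payload: bytes
    signatures: tuple           # ((guardian_index, tag), ...)

    def body_hash(self) -> bytes:
        head = struct.pack(">IH32sQ", self.timestamp, self.emitter_chain,
                           self.emitter_address, self.sequence)
        return hashlib.sha256(head + self.payload).digest()


def guardian_keys(n: int = GUARDIAN_COUNT) -> dict:
    """Constructed guardian secrets; stand-in for the guardian set's signing keys."""
    return {i: hashlib.sha256(b"constructed-guardian-%d" % i).digest() for i in range(n)}


def sign(key: bytes, vaa: VAA) -> bytes:
    """Stand-in for a guardian's ECDSA signature over the VAA body."""
    return hmac.new(key, vaa.body_hash(), hashlib.sha256).digest()


def make_vaa(keys, signers, *, timestamp, emitter_address, sequence, payload,
             emitter_chain=ETH_WORMHOLE_CHAIN_ID) -> VAA:
    unsigned = VAA(timestamp, emitter_chain, emitter_address, sequence, payload, ())
    sigs = tuple((i, sign(keys[i], unsigned)) for i in signers)
    return VAA(timestamp, emitter_chain, emitter_address, sequence, payload, sigs)


class Receiver:
    """Model of an immutable receiver: no owner/admin; anyone may relay a VAA that passes."""

    def __init__(self, keys: dict, message_sender: bytes):
        self.keys = keys                      # the guardian set the receiver trusts
        self.message_sender = message_sender  # immutable emitter (Ethereum sender)
        self.last_sequence = -1
        self.executed = []

    def receive_message(self, vaa: VAA, now: int) -> str:
        # 1. Guardian quorum: count distinct guardians whose signature verifies.
        valid = {i for i, tag in vaa.signatures
                 if i in self.keys and hmac.compare_digest(tag, sign(self.keys[i], vaa))}
        if len(valid) < QUORUM:
            return "rejected: guardian quorum not met"
        # 2. Emitter must be the Ethereum-side sender, not just any Wormhole message.
        if vaa.emitter_chain != ETH_WORMHOLE_CHAIN_ID or vaa.emitter_address != self.message_sender:
            return "rejected: wrong emitter"
        # 3. Sequence must advance, so a once-valid VAA cannot be replayed.
        if vaa.sequence <= self.last_sequence:
            return "rejected: stale sequence (replay)"
        # 4. Governance messages expire; a VAA cannot be held back and relayed later.
        if now > vaa.timestamp + MESSAGE_TIME_OUT_SECONDS:
            return "rejected: message expired"
        self.last_sequence = vaa.sequence
        self.executed.append(vaa.payload)
        return "executed"


def eth_sender() -> bytes:
    # UniswapWormholeMessageSender address from the finding, in Wormhole's 32-byte emitter form
    return bytes(12) + bytes.fromhex("f5f4496219f31cdcba6130b5402873624585615a")


def demo() -> dict:
    keys = guardian_keys()
    rx = Receiver(keys, eth_sender())
    t0 = 1_700_000_000
    legit = make_vaa(keys, range(19), timestamp=t0, emitter_address=eth_sender(), sequence=1, payload=b"setOwner")
    minority = make_vaa(keys, range(12), timestamp=t0, emitter_address=eth_sender(), sequence=2, payload=b"forged")
    quorum = make_vaa(keys, range(13), timestamp=t0, emitter_address=eth_sender(), sequence=2, payload=b"forged")
    other = make_vaa(keys, range(19), timestamp=t0, emitter_address=bytes(32), sequence=3, payload=b"x")
    late = make_vaa(keys, range(19), timestamp=t0, emitter_address=eth_sender(), sequence=3, payload=b"late")
    return {
        "legit": rx.receive_message(legit, now=t0 + 60),
        "replay": rx.receive_message(legit, now=t0 + 120),
        "forged_12_of_19": rx.receive_message(minority, now=t0 + 60),
        "forged_13_of_19": rx.receive_message(quorum, now=t0 + 60),   # the critical finding
        "wrong_emitter": rx.receive_message(other, now=t0 + 60),
        "expired": rx.receive_message(late, now=t0 + MESSAGE_TIME_OUT_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>16}: {outcome}")
```

Checks 2 to 4 only constrain what an honest guardian set will let through; once 13 of 19 guardian keys sign, the attacker chooses the emitter, sequence and timestamp too, which is why nothing in the receiver can substitute for monitoring the guardian set itself.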

Governance Checklist

On-chain token voting (Governor Bravo): yes; proposalCount = 97 (proposals created on-chain, not a count of executed proposals); not Snapshot-only
Timelock on execution (2-day delay): yes; verified via storage slot 2 = 172800 seconds
Multisig (not EOA) on admin roles: no multisig; admin is a Governor ↔ Timelock contract loop, not a Gnosis Safe
Uniform cross-chain governance: no; Wormhole receivers (BSC/Celo) vs canonical L2 bridges (Arbitrum/Base/Optimism)
Bridge receivers have no local admin: yes; immutable, trust-minimized design, with bridge security as an external dependency
Core governance contracts verified: yes; Governor Bravo, Timelock, UNI, and the Wormhole receivers are verified
Wormhole sender verified: no; source unverified in the pipeline cache, Timelock ownership confirmed on-chain

Verified Ownership Chain

Chain     | Contract            | Owner (verified)  | Control Path
Ethereum  | UniswapV3Factory    | V3OpenFeeAdapter  | Timelock → Adapter → Factory
Ethereum  | PoolManager (v4)    | Timelock          | Direct Timelock ownership
Ethereum  | Wormhole Sender     | Timelock          | Outbound cross-chain messages
BSC       | UniswapV3Factory    | V3OpenFeeAdapter  | Wormhole Receiver → Adapter → Factory
BSC       | Wormhole Receiver   | None (immutable)  | Wormhole VAA from Ethereum sender
Arbitrum  | UniswapV3Factory    | V3OpenFeeAdapter  | Timelock L2 alias → Adapter → Factory
Base      | UniswapV3Factory    | V3OpenFeeAdapter  | CrossChainAccount → Adapter → Factory
Optimism  | UniswapV3Factory    | V3OpenFeeAdapter  | CrossChainAccount → Adapter → Factory
Celo      | Wormhole Receiver   | None (immutable)  | Wormhole VAA from Ethereum sender

On-Chain Governance Parameters

Proposal Threshold: 10,000,000 UNI
Voting Delay: 13,140 blocks (~1.8 days at 12-second post-merge blocks; ~2 days at the pre-merge ~13 s rate)
Voting Period: 40,320 blocks (~5.6 days at 12-second blocks; ~7 days only at pre-merge 15 s blocks)
Timelock Delay: 2 days (172,800 seconds)
Timelock Grace Period: 14 days
Proposal Count: 97
Wormhole Message Timeout: 2 days